According to recent research by Tessian, 26% of employees have clicked on a phishing email at work in the past year. For this reason, and many others, there is no surprise that most CISOs are concerned about how phishing attacks are evolving.
Thankfully, email security solutions are always becoming more advanced and stopping more potentially malicious emails and attachments. However, it only takes one mistake or slip in judgement for an employee to click on a phishing link or follow the instructions of a social engineer, which can have devastating effects on a business.
Bulk phishing is the most common form of phishing attack. This is where a cybercriminal sends the same phishing email to a large number of employees or individuals. The messages typically impersonate a legitimate company in an attempt to steal personal data, login credentials or coerce the victim into sending them money. Some of the common companies that are impersonated are Apple, Amazon, Microsoft and LinkedIn.
These bulk phishing attacks often use language that creates a sense of urgency to stop the victim from taking time to check if the message is fraudulent. Whilst these phishing attacks are low effort and high volume, untrained or distracted employees may follow the instructions of a cybercriminal.
Some tell-tale signs of these attacks include:
• Language that creates a sense of urgency
• Redirects and shortened links, using services such as TinyURL or bit.ly
• Incorrect spelling, grammar or punctuation
• Email addresses and domains that don’t match
• Odd requests, such as asking for gift cards or transferring funds
Whereas bulk phishing attacks are high volume and low effort, spear phishing attacks are low volume and high effort. In these attacks, cybercriminals use open-source intelligence (OSINT) to gather information about their targets. For example, their name, position, employer, phone number, and previous job roles. The attacker will use this information to customise the phishing email to deceive the victim into believing the attacker can be trusted.
This information used to tailor the attacks can be easily gathered from sources such as LinkedIn, Facebook simple Google searches. The attacks are more likely to be successful as employees are more likely to follow the instructions or click a link from someone they believe they trust.
It can be difficult to detect a spear phishing attack, but employees should look out for:
• Emails with unsolicited attachments or links
• Language that creates a sense of urgency
• Emails addresses and sender names that do not match
• Inconsistencies in formatting
• Falsified forwarded emails
Whaling is a form of spear phishing that specifically targets high-level employees, such as an organisation’s C suite, directors or VPs.
Typically, the goal of these attacks is to gain access to the high-level employee’s account, also known as business email compromise (BEC). Once they have gained access they can abuse this to authorise transactions, email employees asking for sensitive information, or use high-level privileges to access systems and information to exfiltrate.
Smishing and Vishing
Whilst most phishing attacks use emails, some cybercriminals use SMS (smishing) and voice calls (vishing) to deceive their victims. Similar to email-based forms of phishing attacks, the goal of smishing and vishing is to deceive the victim into sharing sensitive information or sending money to the attacker. Cybercriminals are more likely to target consumers rather than businesses with these attacks, but it is important to be aware of this form of attack.
As with email phishing, individuals should not share information or follow the orders of an individual on an inbound voice call or SMS. It is also possible to Google search the phone number to ascertain if it is a legitimate call.
How To Keep your Business Protected
Email Security Solutions
There are many email security solutions on the market that can help keep your business safe. Some common features of these solutions include:
• AI-powered phishing detection
• Behavioural intelligence modelling
• DLP functionality
• Anti-spoofing policies and DMARC analysis
• Automated detection, investigation and remediation
Although email clients, such as Gmail and Microsoft Outlook have some of these features included as standard, most businesses rely on a third-party solution to increase their security posture and decrease the chance of falling victim to a phishing attack.
The Human Firewall
A traditional firewall is an IT system that monitors and filters inbound and outbound network traffic, blocking anything malicious. Typically, it acts as a boundary between a trusted network, and an untrusted network.
A human firewall is similar to a traditional firewall, however rather than being an IT system, the employees within a business are given the tools and education to reduce cyber risk.
The foundation of any strong human firewall is a comprehensive education and awareness program. This education program should give employees the skills to detect a potential cyberattack, and what actions to take to reduce the chance of falling victim to an attack. Phishing awareness training should include common phishing methods, examples of phishing emails, how employees can reduce the amount of information online that can be used for spear phishing attacks and how to report a potential phishing email.
The human firewall is important as employees are the final line of defence. In an ideal situation, the previous security controls will stop a phishing attack before it lands in an employee’s inbox. However, this is not always the case, so employees need to be able to correctly identify a phishing email.
In the worst-case scenario, if your email security solution does not stop a phishing email and an employee clicks on a malicious link and the attacker steals their login information, businesses need a method of preventing access to their account. There are solutions such as Conditional Access, which can stop unusual login attempts, but 99.9% of account compromise attacks can be stopped with the simple addition of multifactor authentication (MFA).
With MFA enabled, even if a cybercriminal has the login credentials for an employee, they will also need access to their phone, or biometrics to access their account. In terms of bang for your buck, MFA provides immense value and security for a business, however, does not take long to set up and is not expensive. For this reason, all businesses should implement MFA enables for all employees, no matter what.
Looking for Assistance?
Navigating the world of email security and phishing can be difficult for businesses, especially as the techniques are constantly evolving. For this reason, many businesses choose to work with a trusted cybersecurity professional to deploy and manage their email security solution. If you want assistance with this, or anything cybersecurity-related, contact us today.